Bug 9788 - 'acl:search = no' problem is not fully fixed and parameter is still required
'acl:search = no' problem is not fully fixed and parameter is still required
Status: NEW
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
4.0.5
x64 Linux
: P5 normal
: ---
Assigned To: Andrew Bartlett
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-04-12 14:35 UTC by Marc Muehlfeld
Modified: 2015-07-31 08:24 UTC (History)
2 users (show)

See Also:


Attachments
Level 10 debug log of a failed try to join Win7 (without acl:search=no parameter) (87.27 KB, application/x-bzip2)
2013-04-12 14:35 UTC, Marc Muehlfeld
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marc Muehlfeld 2013-04-12 14:35:39 UTC
Created attachment 8768 [details]
Level 10 debug log of a failed try to join Win7 (without acl:search=no parameter)

I'm sorry, but the 'acl:search=no' workaround is still required and not fully fixed.

Yesterday we switched to 4.0.5 and I run 'samba-tool dbcheck --reset-well-known-acls --fix' to reset all my ACLs. Then I recreated the delegation, so members of a group can join computers to the domain without having domain admin permissions (http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Add_delegation). The join as a member of that group worked as expected.

Then I removed the 'acl:search=no' parameter from smb.conf and restarted samba. Now XP says, when trying to join, 'access denied' and Win7 says 'wrong parameter' and the joins didn't work.

After I add the parameter again to smb.conf, the join worked fine again.
Comment 1 Andrew Bartlett 2013-05-21 02:02:56 UTC
As I indicated on the lists, we really need a concrete test (modification to acl.py hopefully) that fails against Samba and passes against Windows, in order to make progress here.